On Friday, the secret-spilling group announced that it has finally relaunched a beta version of its leak submission system,
a file-upload site that runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their
identity from any network eavesdropper, and even from WikiLeaks itself. The relaunch of that page--which in the past served as the
core of WikiLeaks' transparency mission--comes four and a half years after WikiLeaks' last submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers.

[...]

The long hiatus of WikiLeaks' submission system began in October of 2010, as the site's administrators wrestled with disgruntled staff members who had come to view Assange as too irresponsible to protect the group's sources.

After 5 years of broken promises, WikiLeakS have now re-launched something which is similar to the more widely deployed open source @SecureDrop or @GlobaLeaks platforms which several media organisations and a couple of individual journalists offer, as one of the channels to contact
them securely, with or without actual leak documents.

N.B. you have to hunt for the "Submit" button link in a drop down menu on the WikiLeakS.org home page

This WikiLeakS system also relies on Tor, something which their previous efforts only used sporadically and inconsistently.

The Tor Hidden Service .onion address (which only works if you are using a Tor enabled web browser) is:

The optional Questions on the submission form, imply that publication of the leaked data or documents can be delayed e.g. until after the
whistleblower has left their current employer, but there are no guarantees as to if, or when a document will ever be published by wikiLeakS.org.

The neglect of small scale, limited audience leaks, in favour of megalomaniacal mega leaks, is what led, in part, to the revolt of so many of the early WikiLeakS volunteers against the dictatorial and cultish Julian Assange 5 years ago.

Until WikiLeakS explain in detail what happens next to a leaked document, once it has been uploaded, and exactly who has access to it, or to any
correspondence with the whistleblower, nobody, especially not "national security" whistleblowers should use this system.

Who owns the leaked documents & what is the redaction policy?

Given the previous attempts by Assange & WikiLeakS to claim exclusive ownership and copyright of, essentially, other people's stolen information,
the fact that there is no policy statement about the ownership of leaked material, is telling.

Do whistleblowers automatically hand over all rights and control over the release and any censorship or redaction of innocent 3rd parties personal details which may be in the leaked documents to Assange or to WikiLeakS ?

8192 bit GPG Key

Over 7 years after letting their first public GPG key 0x11015f8 expire without replacement, whinging that there were some fake keys on (insecure) public keyservers, and whinging that some people were using PGP/GPG insecurely
(without any detailed guidance from the supposed experts at WikiLeakS.org themselves), they have now published a new 8192 bit GPG Public encryption Key:

There is no cryptographic reason to use an 8192 bit key - it is not in practice any stronger than an already unbreakable 2048 or 4096 bit key.

So few people have or use 8192 bit keys, that its use makes it a characteristic marker, likely providing circumstantial evidence linking, on the balance of probabilities, any seized or stolen encrypted documents on a whistleblower's computer or USB media to WikiLeakS, regardless of the use of "throw-keyids" or the fact that the encrypted file cannot be de-crypted by the authorities or thieves.
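The marker described above can be read straight out of an encrypted file's headers. The following is an added example, not part of the original post or of any WikiLeaks or GnuPG code: it parses the OpenPGP public-key encrypted session key packets (RFC 4880, tag 1) and shows that a zeroed key ID still leaves the size of the encrypted session key, and hence the approximate recipient key size, visible. The sample bytes are constructed for the illustration and the rounding to a multiple of 256 bits is a heuristic assumption.

```python
import struct

RSA_ALGOS = {1, 2, 3}  # RFC 4880 public-key algorithm IDs for RSA


def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                return  # partial body length: bulk ciphertext, stop here
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return  # indeterminate length: bulk ciphertext, stop here
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def pkesk_metadata(data):
    """Return what is readable, without any key, about each recipient."""
    found = []
    for tag, body in packets(data):
        if tag != 1 or len(body) < 12 or body[0] != 3:
            continue  # only version 3 session key packets are handled
        key_id, algo = body[1:9].hex(), body[9]
        mpi_bits = int.from_bytes(body[10:12], "big")  # bit count of first MPI
        found.append({
            "key_id": key_id,
            "hidden": key_id == "00" * 8,  # throw-keyids zeroes this field
            "algo": algo,
            "mpi_bits": mpi_bits,
            # Heuristic: an RSA ciphertext is almost always within a few
            # bits of the modulus size, so round up to a multiple of 256.
            "likely_modulus_bits": (-(-mpi_bits // 256) * 256
                                    if algo in RSA_ALGOS else None),
        })
    return found


def _sample_pkesk(mpi_bits, key_id, new_format):
    """Constructed test packet: filler bytes stand in for the RSA ciphertext."""
    top = 1 << ((mpi_bits - 1) % 8)
    mpi = bytes([top]) + b"\xa5" * ((mpi_bits + 7) // 8 - 1)
    body = b"\x03" + key_id + b"\x01" + struct.pack(">H", mpi_bits) + mpi
    if new_format:
        n = len(body) - 192  # two-octet new-format length (192..8383)
        return bytes([0xC1, 192 + (n >> 8), n & 0xFF]) + body
    return b"\x85" + struct.pack(">H", len(body)) + body


# Constructed sample: one hidden recipient with an 8192 bit class key, one
# named recipient with a 2048 bit class key, then a stub encrypted-data packet.
SAMPLE = (_sample_pkesk(8190, bytes(8), False)
          + _sample_pkesk(2047, bytes.fromhex("1122334455667788"), True)
          + b"\xd2\x05\x01abcd")

if __name__ == "__main__":
    for r in pkesk_metadata(SAMPLE):
        who = "hidden recipient" if r["hidden"] else "key ID " + r["key_id"]
        print(f"{who}: algo {r['algo']}, ~{r['likely_modulus_bits']} bit key")
```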

There is no advice on the WikiLeakS.org website about how whistleblowers should use the GPG software properly, on different platforms e.g.
password lengths, extra hash protection of their private keys in the keyring, physical protection of the keyring, the use of throw-keyids etc. etc.,

Unlike SecureDrop, there is no leak submission contact messaging channel within the submission system workflow

WikiLeakS have added a .onion Tor Hidden Service to their existing web chat system

http://wlchatc3pjwpli5r.onion and https://wikileaks.org/talk

N.B. the customised / branded first few digits of the chat system's Tor Hidden Service (presumably done using a GPU based hash generator like Scallion),
which they did not bother with for the leaked document submission system.

They also publish a non-Tor Hidden Service url for this chat system, so it may be ok for general chat with WikiLeakS staff or volunteers,
but any "national security" whistleblower should steer clear of it, even via Tor as the chat servers can be tracked down (for potential seizure or man in the middle attacks) via the non-Tor users

Using any form of real time communications, either encrypted chat or phone calls, is too risky between genuine "national security" whistleblowers and a heavily surveilled target like WikiLeakS.org
- there is no scope for "plausible deniability" or an alibi, unlike with e.g. programmatically time delayed sending of encrypted emails or other online publications

Other submission technologies inspired by WikiLeaks, such as the European-based GlobaLeaks and the US-based Secure Drop, while both excellent in many ways, are not suited to WikiLeaks'
sourcing in its national security and large archive publishing specialities. The full-spectrum attack surface of WikiLeaks' submission system is significantly lower than other systems and is optimised for our secure deployment and development environment. Our encrypted chat system is integrated into this process because sources often need custom solutions.

No ! The "full-spectrum attack surface" of WikiLeakS's system is no better than that of any other Tor Hidden Service.

Potential whistleblowers have no way of judging whether WikiLeakS' secret internal computer and human systems are
any better or worse than those of SecureDrop or GlobaLeaks or other submission systems.

The next paragraph shows that Assange et al are still creating solutions to straw man problems, whilst ignoring the real risks to potential whistleblowers

For example, one of the problems with public-facing submission systems is bootstrapping. The fact that
a source is looking at instructions that are telling them how to submit material could be used as
evidence against them if there is an SSL key break. To prevent this, we deploy the full bootstrap
instructions and keys on millions of WikiLeaks pages across our full server network. When the
"Submit" button is pressed, there is literally zero network traffic as a result, because all
these details are downloaded everytime anyone looks at nearly any page on WikiLeaks. We cover
the source bootstrap process with our millions of page views by readers.

These "millions of web pages" are a red herring and do nothing to obscure the traffic generated by the whistleblower, especially when they choose to hit the Submit button.

The time, date and the number of bytes of data which the whistleblower uploads to WikiLeaks is still observable, regardless of the fact that it is encrypted.

If anyone on a government or military network visits any part of the WikiLeakS.org website from work, that is likely to be flagged as suspicious behaviour regardless of how innocuous the content of a web page may be.

Their submission system provides no tools and not even any advice or instructions on splitting up or combining or padding out documents
so as to hide their potentially characteristic size from ISP or state communications data traffic analysis.
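A sketch of the kind of tool the paragraph above says is missing, as an added example that is not part of the original post or of any submission system: a document is wrapped with its true length, padded with random bytes up to a power-of-two size, and split into equal chunks, so that different documents produce the same observable upload sizes. The 64 KiB floor, the 32 KiB chunk size and all function names are assumptions made for the illustration; padding is applied before encryption, and the time and date of the upload remain visible.

```python
import os
import struct

HEADER = struct.Struct(">Q")  # 8-byte big-endian true document length
FLOOR = 64 * 1024             # assumed minimum container size
CHUNK = 32 * 1024             # assumed fixed size of every uploaded piece


def padded_size(n):
    """Smallest power of two that holds header + n bytes, at least FLOOR."""
    need = n + HEADER.size
    return max(FLOOR, 1 << (need - 1).bit_length())


def pack(doc):
    """Wrap doc in a container whose size falls into a coarse bucket.

    The filler is random rather than zeros, so that compression applied
    by the encryption tool (GnuPG compresses by default) cannot shrink
    the container back towards the document's real size.
    """
    filler = os.urandom(padded_size(len(doc)) - HEADER.size - len(doc))
    return HEADER.pack(len(doc)) + doc + filler


def split(blob, chunk=CHUNK):
    """Cut the container into equal pieces, each encrypted and sent alone."""
    if len(blob) % chunk:
        raise ValueError("container size is not a multiple of the chunk size")
    return [blob[i:i + chunk] for i in range(0, len(blob), chunk)]


def unpack(chunks):
    """Receiver side: rejoin the pieces and strip header and filler."""
    blob = b"".join(chunks)
    (n,) = HEADER.unpack_from(blob)
    if n > len(blob) - HEADER.size:
        raise ValueError("length header exceeds container size")
    return blob[HEADER.size:HEADER.size + n]


def observable(doc):
    """What an on-path observer can count: (uploads, bytes per upload)."""
    chunks = split(pack(doc))
    return len(chunks), len(chunks[0])


if __name__ == "__main__":
    # Constructed sample documents with distinctive, different sizes.
    memo = b"M" * 70_001
    spreadsheet = b"S" * 120_000
    for name, doc in (("memo", memo), ("spreadsheet", spreadsheet)):
        print(name, len(doc), "bytes ->", observable(doc))
    assert unpack(split(pack(memo))) == memo
```

The cost of power-of-two buckets is up to roughly double the upload size; finer buckets leak more about the true size.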

If you have any issues talk to WikiLeaks. We are the global experts in source protection - it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly.

This includes other media organisations

The claim that "We are the global experts in source protection", is, of course, exaggerated.

WikiLeakS.org has not proved to be any better at avoiding infiltration and surveillance than other media organisations or activist groups or intelligence agencies.

Given how the main WikiLeakS source Bradley now Chelsea Manning (now serving 35 years in prison) was not handled properly as a source by Assange (publication seems to have been more important to him than the welfare of Manning) it seems unlikely that WikiLeakS will ever again be handed large scale leaks or any "national security" leaks via this submission system.

It is very telling that despite the help that Sarah Harrison later gave to Edward Snowden between Hong Kong and Moscow, he did not trust WikiLeakS or Julian Assange with his revelations.

Assange is still in self exile in the Ecuadorian Embassy in London, trying to evade extradition to Sweden on alleged sex offences.

As such, given the millions of pounds UK taxpayers' money & the Metropolitan Police Service overtime being wasted on him he is likely a very high profile target for GCHQ and other signals and human intelligence agencies.

If, as we suspect, he is still heavily involved in the WikiLeakS editorial process, he himself is probably the greatest risk to the anonymity and safety of any "national security" whistleblowers stupid enough to contact WikiLeakS.org

This ladylike tote is updated for summer, offering effortless chic all season long. In luxurious black nappa leather with a laser cut panel, this sophisticated style features a silver charm and trims for a luxurious finish. Wear with the season's soft tailoring and the matching flats for the ultimate in day-time chic.

Given WikiLeakS.org notorious finances and attempts to exclusively commercialise the property and work of others, we won't be surprised if they try to legally threaten Russell & Bromley for a cut of the profits.

N.B. this blog has more right to the name WIKILEAK (without the "s") than the Assange cult does.

"Whether a European Arrest Warrant ("EAW") issued by a public prosecutor is a valid Part 1 EAW issued by a "judicial authority" for the purpose and within the meaning of sections 2 and 66 of the Extradition Act 2003. "

The Assangistas do not appear to have noticed how the choice of Supreme Court Justices to hear this case, appears to be stacked against Julian Assange,
if you assume that they are not ignorant of the WikiLeaks media hype and allow this to influence them to some extent in this European Arrest Warrant case.

Lord Phillips of Worth Matravers

"Lord Phillips is the first President of The Supreme Court, having been Senior Law Lord from 1 October 2008. He was previously the Lord Chief Justice of England and Wales."

As the President of the Supreme Court, he could decide to make the lead opinion, on the important legal point of the use or abuse of European Arrest Warrants, a system which must be reformed.

Or he could leave it to Lord Brown's last judicial opinion before retirement.

Lord Brown of Eaton-under-Heywood

Technically he has retired from the Supreme Court on his 75th birthday on the 9th of April, but the Supreme Court has discretion to appoint recently retired Justices and he had not yet retired when the case was being considered from January onwards.

He produced the lead opinion in the Law Lords (who were re-branded as the Supreme Court) in their rejection of the Appeal in the Gary McKinnon extradition to the USA case. Assange is correct to fear that he may be extradited to the USA to face similar charges of hacking US military computers, or worse.

He even managed to sneak in some damaging nonsense implying that the as yet unproven allegations against Gary McKinnon regarding the New Jersey naval base, were somehow akin to creating a danger to navigation i.e. like a Cornish Wrecker or someone who moves marker buoys etc.

"the equivalent domestic offences include an offence under section 12 of the Aviation and Maritime Security Act 1990 for which the maximum sentence is life imprisonment."

even though the US authorities have never alleged this and any Naval Captain should be
court martialled if he relies on unencrypted internet emails, rather than lookouts, radio, radar, sonar, charts, Global Positioning Satellite systems etc. for navigation or the safety of his ship.

Lord Phillips of Worth Matravers was content to agree with Lord Brown over the Gary McKinnon appeal rejection, so he is likely to do so again, if Lord Brown is given the job of writing the lead opinion.

The Assangista conspiracy theorists do not seem to have realised that "Lord Brown also served as President of the Security Service Tribunal from 1989 to 2000, President of the Intelligence Services Tribunal from 1995 to 2000, Intelligence Services Commissioner from 2000 to 2006"

He utterly failed to convince anyone that the role of Intelligence Services Commissioner provided a method of "security cleared" protection for the general public against any bureaucratic excesses or malpractice by GCHQ, MI5 the Security Service or MI6 / SIS the Secret Intelligence Service

Lord Brown will be completely familiar with the "special intelligence relationship" i.e. "bend over backwards to the USA" attitude

It will be utterly astonishing if Lord Brown finds in favour of Julian Assange.

Lord Kerr of Tonaghmore

Lord Kerr is a former Crown Prosecutor and then Chief Justice of Northern Ireland i.e. he and his family have been / still are under the threat of assassination and worse by terrorists.
Several of his colleagues will have been threatened or killed during "The Troubles".

He is likely to be very familiar with the need to protect the identities and lives of Covert Human Intelligence Sources.

He is extremely unlikely to be sympathetic to Assange's recklessness / malice in publishing the unredacted names of people mentioned in the WikiLeaks US Diplomatic Cables and the Afghan and Iraq war diaries and even the personal details of the
hated and derided, but still legal British National Party members, some of whom were then harassed.

Lord Wilson of Culworth

A recent appointee to the Supreme Court, he "was a judge of the Family Division of the High Court. From 2005 until May 2011" presumably he will be familiar with "he said / she said" domestic arguments and alleged sexual offences between initially consenting adults.

At a guess he will be the most sympathetic to Assange's "rape trial by media", but he is unlikely to dissent from the lead opinion of his more senior colleagues.

The only thing worse for Julian Assange than a rejection of his Supreme Court Appeal, in which case he will be sent off to Sweden forthwith (assuming that the European Court of Human Rights does not allow an appeal), would be for the Supreme Court to allow his Appeal.

If Julian Assange is not to be extradited to Sweden on the dubious "investigation without charge" European Arrest Warrant, then he will be far more likely to be arrested and held in the United Kingdom, if the United States authorities unseal their Grand Jury Indictment of him in relation to the Bradley Manning military case, which appears to have provided WikiLeakS.org with so much material.

Extradition from the UK to the USA requires no prima facie case, just like the European Arrest Warrant and so it is much more likely to happen from the UK than from Sweden.

The increasingly Julian Assange centered WikiLeakS.org project received a media hype and publicity boost before Christmas 2011, when they appear to have been handed some or all of the hacked emails from the pretentious "private intelligence agency" company Stratfor.

Some of the "Anonymous" / "LulzSec" gang of hackers, who were under the influence and perhaps the control of an FBI coerced informant and agent provocateur (Hector Xavier Monsegur supposedly the LulzSec twit "Sabu") have been arrested and charged with this computer crime. They even stored the alleged millions of emails from Stratfor on a server under the control of the FBI.

There has been no noticeable support for any of them by Julian Assange, even though at least two of them (Ryan Ackroyd "Kayla", Jake Davis "Topiary") have been indicted in the USA and could be facing extradition from the United Kingdom, unlike Assange himself, who is fighting an unjust European Arrest Warrant extradition to Sweden on sexual offences charges.

All the above is background information relevant to the question in the title of this blog post: Why has WikiLeakS.org not published any Stratfor email headers ?

WikiLeakS.org has been milking a very small selection of Stratfor emails for "maximum publicity", but with almost zero political impact, since 27th February, when they launched a subsection of their main website (not, this time, choosing to use a subdomain or a different domain name like they did for collateralmurder.com)

The Stratfor emails are being touted as The Global Intelligence Files, using similar hype to that which the notorious and obviously cyber security inept Texas based private think tank likes to puff itself up with.

Julian Assange / @wikileaks twitter feed has been claiming that the formerly private rumours and speculation by Stratfor employees such as Fred Burton, who used to be employed by the US Government, are somehow actually official US Government policy or the "truth", even when other Stratfor employees have, sensibly, tagged such rumours as "single source" or "unverified".

The claim by WikiLeakS.org is that they are publishing 5 million emails, but they have not actually done so.

They have published 935 extracts in just under a month. At that rate it will be about 96 years before they publish 5 million email extracts. Surely even the second (or third) division media partners listed by WikiLeakS.org, since Julian Assange has lost the trust of The Guardian, the New York Times, Der Spiegel etc. etc., will have moved on to other stories by then ?

Despite claiming to have somehow invented "scientific journalism", whereby the original document sources of information for a story are made available to the public for expert analysis, Julian Assange has not done this with the Stratfor emails, since the extracts do not contain any actual email header information, listing email clients, mailservers and IP addresses etc.

Why not ?

What is Assange hiding ?

Did the FBI controlled "Sabu" make sure that WikiLeakS.org only got a censored version of the Stratfor emails ?

Since there is no WikiLeakS.org secure document submission system, or published PGP Public Encryption Key, how did the Anonymous / Lulzsec/ FBI contact Julian Assange / WikiLeakS.org ?

Did WikiLeakS.org / Julian Assange actively reach out to the pompous "Sabu" over IRC and or Twitter ?

Is the Stratfor email "leak" an attempt to drag Julian Assange and other WikiLeakS.org people into the credit card fraud and computer intrusion criminal cases which are currently in motion regarding Stratfor and other Anonymous/Lulzsec targets ?

Apologies for the hiatus in blogging about the WikiLeakS.org soap opera, there are plenty of better things to do with limited resources.

We cannot be bothered to remember why the WikiLeakS.org front end web server was no longer hosted by PRQ Internet in Stockholm, leading to the use of dodgy Russian "bulletproof hosting" / cyber crime friendly ISP, whilst the main website ended up at WikiLeakS.ch, with the help of the pan-European Pirate Party (a genuine political party representing a minority of IT literate voters).

There were also experiments with Cloud Hosting suppliers like Amazon EC2 in Ireland and OVH in France, but WikiLeakS.org broke their terms of service and / or they succumbed to political pressure.

Whether the actual backend server(s) are still hosted by another Swedish ISP Bahnhof in a former nuclear war shelter is unclear.

However, WikiLeakS.org website and email system now appears to be back with PRQ Internet again, the ISP which hosted them during the dangerous-internet-freedom attack through the US Federal Court system, on their US Domain Name registrar, by the Swiss private bank Bank Julius Baer.

IP address: 88.80.2.31
Host name: wikileaks.org

Alias:
wikileaks.org
88.80.2.31 is from Sweden(SE) in region Scandinavia

The return to PRQ Internet makes WikiLeakS.org less resistant to attacks on the DNS providers through the legal system or through Denial of Service attacks, since they only currently list the USA based DynaDot name servers:

ns2.dynadot.com [50.112.108.69]
ns1.dynadot.com [50.112.107.96]

Compare this to wikileaks.ch, which sports multiple DNS servers in multiple legal jurisdictions:

Julian Assange speaking at the Frontline international press club in London, on Tuesday 24th October 2011 claimed that:

On November 28th, the one year anniversary of CableGate, we will launch our new generation submission system.

That includes, not just, a public interface, but also several other mechanisms that are necessary to deal with an attack on the entire internet security system, that has been established over the last few years, by intelligence agencies and criminal groups.

However the press conference in London was postponed from Monday 28th November to Thursday 1st December at an unannounced location (which turned out to be the City University), before a pre-registered audience of picked journalists.

None of these picked journalists seemed to ask any technical questions or any questions about Assange's Extradition to Sweden case.

So where were the details of this "new generation submission system." (remember that the old one has been broken for over 2 years now) ?

There was no such immediate launch announcement, nor a date for a future launch.

There were no technical details at all

Neither was there any hint about a "look and feel" prototype or whether or not the source code would be made public to be examined by independent experts or the public

Even so, some media outlets are incorrectly reporting that a new submission system has somehow been launched !

Instead there was the announcement of yet Another Wikileaks Spin Off website which "revealed" some 280 documents, mostly sales brochures and presentations about surveillance industry products, which are used both by legitimate Governments to help track down criminals and terrorists and by illegitimate Governments to suppress political opponents and freedoms (some Governments do both at the same time).

All of these documents appear to have been already published on other websites and (until some of them are removed) many are still available on the manufacturer's own corporate websites.

Nobody has so far managed to find any of these documents which was first made public by WikiLeakS.org.

This market research was actually done by Privacy International (Eric King @e315) and The Bureau of Investigative Journalism and by associates of the German Chaos Computer Club e.g. buggedplanet.info (domain name registered by Andy Mueller-Maguhn @mueller_maguhn) etc.

So what exactly did WikiLeakS.org contribute to this research ? WikiLeakS.org and Tor associate Jacob Appelbaum (@ioerror) has been doing his own research into say, satellite phone / data links for use in "Arab Spring" countries but he probably would have done this even without Julian Assange anyway.

Julian Assange provided a media sound bite, by asking if any of the assembled picked audience of journalists had an iPhone or a BlackBerry (Julian raised his own hand to both of those) or used Gmail. He then vaguely claimed that they were "all screwed", but he provided no specific examples of which of the list of products could actually be used to snoop on journalists or innocent members of the public without their knowledge.

Presumably Privacy International and The Bureau of Investigative Journalism etc. whose representatives spoke briefly on the platform dominated by Julian Assange, are happy with the media coverage generated, something which may not be possible soon if Assange is extradited to Sweden and is held in custody again.

Some of their supporters, this blog included, are not so happy to see Julian Assange claiming all the credit for this research project, none of which actually involved the supposed WikiLeakS.org anonymous whistleblower leak submission and publication system at all.

Julian Assange speaking at the Frontline international press club in London, on Tuesday 24th October 2011

Approx 1 hour 5 minutes near the end of the video clip:

The fallout from that was the we viewed that our submission system could not be trusted any more

So did everyone else with any clues about computer security and anonymity, including Daniel Domscheit-Berg and the "Architect", which is partly why they left in the first place.

As a result we have had to completely re-engineer, from scratch, a new generation submission system.

On November 28th, the one year anniversary of CableGate, we will

Now, wikileaks has never had only the one submission system. We've received information in a wide variety of means, just like intelligence agencies and professional, mainstream media organisations, receive their information from a wide variety of means.

It has been important to us, to always have a wide variety of means, so no one mean becomes the sole, the sole subject of infiltration or investigation.

However, for the last, for the last 12 months, for the last 12 months, you haven't been able to go through the front door to submit wikileaks sensitive, information

You've had to establish, contacts, with the organisation and transmit us the material through other mechanisms.

Is Assange claiming that people have actually been stupid enough to submit sensitive material to him in the last 12 months, through other means ?

Why has he not bothered to publish any of this new, "non-Bradley Manning" sourced stuff then ?

How exactly are these "other means" actually Anonymous or Secure ?

Remember that wikileaks stopped publishing a PGP Public Encryption Key years ago and their incompetence in using PGP as a means of symmetric encryption and then stupidly publishing their CableGate archive online around the world and the re-using the same pass phrase with Guardian journalist David Leigh, was an

Similarly, they stopped publishing a Tor Hidden Service even before they stopped accepting new submissions.

On November 28th, the one year anniversary of CableGate, we will launch our new generation submission system.

That includes, not just, a public interface, but also several other mechanisms that are necessary to deal with an attack on the entire internet security system, that has been established over the last few years, by intelligence agencies and criminal groups.

Right now, it is not possible to trust any https:// connection on the internet.

Utter rubbish !

Even wikileaks.org itself has, at various times, published a Self Signed Digital Certificate and has published the MD5 and SHA-1 cryptographic hash fingerprints, without relying on any built in web browser trust of Certificate Authorities.

It is not possible your banking system, it is not possible to trust any, regular, web based secure encryption system

What about banks which use SSL v3 Client Side Digital Certificates for mutual client / server authentication, without the need for any external Certificate Authority ?

That is because, intelligence agencies have infiltrated , a number of Certificate Authorities. Certificate Authorities are those authorities which
sign the cryptographic keys that are used for secure internet communication.

On November 28th, we will release our alternative to that system, which is independent of all Certificate Authorities

Is this something which Julian and his cult have created from scratch, or will they just steal / borrow the work of Moxie Marlinspike and SSLLabs etc. with Convergence ?

Remember that SSL / TLS encryption only provides Secrecy about most of the contents of an encrypted session, it does not provide any Anonymity, and, may in fact provide less anonymity than a non-SSL connection via a shared proxy server.

A question from the floor:

"I understand that you may be limited in what you can say, but how have you manage to get around the fact, that in your eyes, Certificate Authorities can't be trusted, with this particular submission system ?"

01:08:57

We will give full details here, on a conference, on November 28th

Full details ?? Don't hold your breath.

Will they publish the source code of their system, or even a detailed security architecture of what it is intended to actually do and protect against ?

On past performance, this is extremely unlikely.

I would like to say, that in that, this problem has been brewing over a number of years, and we were aware of it before, back in 2010, and we had a number of mechanisms to ameliorate that, ahh, thousands of robots that went out over the internet, to simulate being sources, to check to see, whether these "men-in-the-middle" or fabricated certificates existed.

So we had a number of different mechanisms to try to ameliorate that problem, but it is our view that the problem has now gone so severe, that even those attempts to ameliorate it, can no longer be trusted to the degree, that our sources expect us, to be able to solve the problem

More nonsense from the deliberately deceptive Julian Assange:

"thousands of robots" ??

At the time they claimed that this was to provide "cover traffic" to help to confuse Communications Traffic Analysis and thereby to improve the Anonymity of the submission system

This could not and would not have tested for any SSL "man-in-the-middle" attacks on the Security / Privacy of submissions.

Neither could it have detected compromised Certificate Authorities around the world, especially in places where the Government also controls international internet access.

Even if it was meant to do so, they obviously failed to detect a single example of such an attack aimed at wikileaks, or if they did, they must have covered it up.

Regardless of the technical merits of this new submission system, any whistleblower with really sensitive, life threatening information to publish, would have to be suicidal to trust Julian Assange and his WikiLeakS.org cult followers with it.

It looks as if WikiLeakS.org / Julian Assange's stupid decision to abandon use of PGP encryption, back in 2007 has come home to roost, with the revelation that they idiotically re-used a symmetric encryption key password and ineptly published a full archive of the controversial US Embassy / State Department Diplomatic Cables on BitTorrent peer to peer file sharing networks

The fact that they published this unredacted archive at all via BitTorrent shows how chaotic and incompetent Julian Assange and his motley crew of inexperienced acolytes had become after Daniel Domscheit-Berg and the "Architect" left them.

The end result is that there are now many people around the world, including all the repressive governments mentioned in the quarter of a million Diplomatic cables who can now simply search for key words like (strictly protect), to find the names of informants and information sources who have been in contact with US Embassy diplomats and who could therefore now be easily persecuted.

See the Cryptome.org for a direct file link to z.gpg or to this torrent link to the same encrypted compressed file via BitTorrent peer to peer filesharing.

John Young's evident glee that WikiLeakS.org have now published the full, unredacted archive of US Diplomatic Cables, is, in its own way, just as reprehensible as Julian Assange's indifference to the fate of vulnerable individual human beings named in the cables.

He of all people should know that the US Government neither has the time, the money, nor the inclination, nor the bureaucratic efficiency to warn or protect the hundreds of named informants or contacts, which have now been betrayed to the world, an action which has been universally condemned by WikiLeakS.org's former mainstream media partners and by human rights organisations.

This is in addition to the names of political dissidents who were in contact with the US Embassy in Belarus which Assange has already handed over to the Lukashenko dictatorship via the holocaust denier Israel Shamir.

Some "open source" / "full disclosure" advocates are making the spurious claim that the publication by WikiLeakS.org of the unredacted cables.csv and onto their searchable web site front end, is somehow better for any political dissidents or confidential sources who had dealings with the US Embassies and whose names are tagged with (strictly protect) and other markers.

Firstly, not all political dissidents in repressive countries have access to the internet at all, let alone to fast, secure, anonymous connections which would allow them to download the massive cables.csv file itself or to use the (insecure) WikileakS.org cable search websites.

None of these websites employ SSL Digital certificates or provide Tor Hidden services etc. to mask the identities of people searching for their own names or those of their family or friends.

Some of the people mentioned in the US Embassy cables several years ago could in fact be in prison or under investigation for other reasons in 2011, without any internet access, or without any safe internet access, at all. Being named as having been in contact with the US Embassy, even several years ago, could easily lead to charges of espionage etc. in insane countries like Iran.

Julian Assange's disregard for the Sensitive Personal Data of innocent individuals and his organisation's utter incompetence at handling such data securely, is indistinguishable from that displayed by many of the government bureaucracies you would expect him to be opposed to. Do not trust him or WikiLeakS.org with any future whistleblower leak material. Find another post-WikiLeakS.org website or organisation instead - see the listing and analyses at LeakDirectory.org wiki.

WikiLeakS.org and PGP Public Key Encryption

WikileakS.org abandoned even their limited use of PGP Encryption with the public or with the media, back in 2007, when they let their published PGP key expire.

If they had been using Public Key Cryptography last year, to encrypt correspondence or documents or files using their recipients' individual Public Keys, then there would have been no password for the incompetent WikiLeakS.org activists to re-use.

Every copy of the controversial cables.csv file could have been encrypted with a different recipient's Public Key and would have had a different symmetric encryption key (which no human could have been capable of revealing, even under torture).

Not even WikiLeakS.org / Julian Assange could have decrypted a seized or intercepted or publicly leaked copy of such an encrypted file, only the recipient with access to his or her own private decryption key could have done so.

Either Julian Assange is ignorant of how to use Public Key Cryptography (hardly likely for someone who has tried to write cryptographic software himself) or he and the #wikileaks twitter feed are lying again:

@ABCTech It is false that the passphrase was temporary or was ever described as such. That is not how PGP files work. Ask any expert.

6.32 AM September 1st 2011

To decrypt a file encrypted with PGP using a recipient's Public Key, you need to have physical access to the Private De-Cryption key, which is not accessible to anyone who copies or intercepts the encrypted file in transit.

Obviously the password which unlocks the Private De-Cryption Key from your PGP Keyring can be changed.

Symmetric encryption unprotected by Public Key encryption is just an option with PGP, but that is not how PGP is designed to be used to protect files in transit over the internet or on vulnerable USB memory sticks !

There was nothing, except for laziness or incompetence, which prevented Julian Assange or his followers from securely destroying the symmetrically encrypted cables.csv compressed file archive immediately after he gave it to David Leigh and then re-encrypting it from the master copy with a different key and passphrase. This master copy, we assume, given the dispute between Julian Assange and Daniel Domscheit-Berg, would have been held on a separately encrypted computer file system anyway.

The award winning investigative journalist at The Guardian newspaper David Leigh's book:

did reveal on pages 138 to 139 an unnecessary password, which he rightly assumed would only be a temporary one, but which should never have been re-used by Julian Assange in the first place.

Leigh refused. All or nothing, he said. "What happens if you end up in an orange jump-suit enroute to Guantánamo before you can release the full files?" In return he would give Assange a promise to keep the cables secure, and not to publish them until the time came. Assange had always been vague about timing: he generally indicated, however, that October would be a suitable date. He believed the US army's charges against the imprisoned soldier Bradley Manning would have crystallised by then, and publication could not make his fate any worse. He also said, echoing Leigh's gallows humour: "I'm going to need to be safe in Cuba first!"

Eventually, Assange capitulated. Late at night, after a two-hour debate, he started the process on one of his little netbooks that would enable Leigh to download the entire tranche of cables. The Guardian journalist had to set up the PGP encryption system on his laptop at home across the other side of London. Then he could feed in a password. Assange wrote down on a scrap of paper: ACollectionOfHistorySince_1966_ToThe_PresentDay#. "That's the password," he said. "But you have to add one extra word when you type it in. You have to put the word 'Diplomatic' before the word 'History'. Can you remember that?"

"I can remember that."

Leigh set off home, and successfully installed the PGP software. He typed in the lengthy password, and was gratified to be able to download a huge file from Assange's temporary website.

So having given Leigh instructions about downloading and installing PGP software, Julian Assange failed to instruct him to generate a Public / Private key pair and to send him the Public Key, so that Julian could individually encrypt the cables.csv compressed archive just for David Leigh and nobody else.

At the face to face meeting described in the book, Julian Assange could easily have given David Leigh a copy of a WikiLeakS.org Public Encryption Key for him to install when he set up the PGP software on his laptop as instructed, or pointed him to an online version.

They could have agreed a pre-shared secret for extra authentication.

David Leigh could then have been instructed to generate his own Public / Private keypair (protected in his PGP Keyring by his own strong passphrase) and to send a Digitally Signed and Encrypted copy of his Public Key back to Julian Assange via email etc. together with the pre-shared authentication secret, all encrypted with the WikiLeakS.org Public Key. This should have been sufficient cryptographic proof that David Leigh's Public Key was the correct one, since nobody else apart from Julian Assange / WikiLeakS.org could have read the contents of that message.

Julian Assange could then have encrypted the compressed cables.csv file with David Leigh's Public Key and pointed him to the secure website he had set up for the encrypted file to be downloaded from.

This encrypted file could only have been de-crypted by someone in possession of both David Leigh's passphrase and the corresponding Private Key in the PGP Keyring on David Leigh's MacBook laptop.

If WikiLeakS.org had been regularly using PGP over the years, even inexperienced members of the cult would have been familiar with these simple, well documented concepts.

If that copy of the encrypted file had somehow been published by the incompetent WikiLeakS.org crew on BitTorrent, then only David Leigh could have decrypted it (assuming he was still in control of his PGP Keyring on his laptop computer), even if he had published his own pass phrase in his book, rather than Julian's rather pompous one.
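The handover described above, written out as GnuPG commands beside the passphrase-only variant, to show who can read each file afterwards. This is an added example, not part of the original post and not anything WikiLeakS.org or The Guardian ran; the identity, both passphrases, the helper function names and the sample CSV are constructed, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: throwaway keyrings, constructed identity, passphrases and data.
# Needs GnuPG 2.1 or later on PATH.

RCPT='Recipient Journalist <recipient@example.invalid>'  # constructed identity
RCPT_PW='constructed keyring passphrase'      # unlocks the recipient's private key
SHARED_PW='constructed passphrase on paper'   # the only secret in symmetric mode

# Run gpg against the keyring directory $1 without any prompts.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback "$@" 2>/dev/null
}

# Fingerprint of the recipient's primary key as stored in keyring $1.
fingerprint() {
    g "$1" --with-colons --fingerprint "$RCPT" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

setup_demo() {
    command -v gpg >/dev/null 2>&1 || { echo 'gpg not found' >&2; return 2; }
    DEMO_DIR=$(mktemp -d) || return 2
    SENDER=$DEMO_DIR/sender
    RECIPIENT=$DEMO_DIR/recipient
    OUTSIDER=$DEMO_DIR/outsider      # holds copies of the files, but no keys
    mkdir -m 700 "$SENDER" "$RECIPIENT" "$OUTSIDER" || return 2
    printf 'id,date,body\n1,2010-01-01,constructed sample row\n' \
        > "$DEMO_DIR/cables.csv"

    # Recipient: generate a key pair locally and export only the public half.
    g "$RECIPIENT" --passphrase "$RCPT_PW" --quick-generate-key "$RCPT" || return 3
    g "$RECIPIENT" --armor --export "$RCPT" > "$DEMO_DIR/recipient-pub.asc" || return 3

    # Sender: import the public key, then compare fingerprints. In real use the
    # recipient reads his fingerprint out over a separate, authenticated channel.
    g "$SENDER" --import "$DEMO_DIR/recipient-pub.asc" || return 3
    [ -n "$(fingerprint "$SENDER")" ] &&
        [ "$(fingerprint "$SENDER")" = "$(fingerprint "$RECIPIENT")" ] || return 4

    # Public-key mode: a random session key is wrapped for this recipient only.
    g "$SENDER" --trust-model always --recipient "$RCPT" \
        --output "$DEMO_DIR/for-recipient.gpg" --encrypt "$DEMO_DIR/cables.csv" || return 5
    # Symmetric mode: the file key is derived from the passphrase alone.
    g "$SENDER" --passphrase "$SHARED_PW" --cipher-algo AES256 \
        --output "$DEMO_DIR/symmetric.gpg" --symmetric "$DEMO_DIR/cables.csv" || return 5
}

# True if keyring $1, offered passphrase $2, decrypts file $3 to the original.
can_read() {
    g "$1" --passphrase "$2" --output - --decrypt "$3" |
        cmp -s - "$DEMO_DIR/cables.csv"
}

cleanup_demo() {
    for h in "$SENDER" "$RECIPIENT" "$OUTSIDER"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null
    done
    rm -rf "$DEMO_DIR"
}

report() {
    setup_demo || return
    can_read "$OUTSIDER" "$SHARED_PW" "$DEMO_DIR/symmetric.gpg" &&
        echo 'symmetric.gpg: readable by anyone holding the file and the passphrase'
    can_read "$OUTSIDER" "$SHARED_PW" "$DEMO_DIR/for-recipient.gpg" ||
        echo 'for-recipient.gpg: the shared passphrase is useless without the private key'
    can_read "$OUTSIDER" "$RCPT_PW" "$DEMO_DIR/for-recipient.gpg" ||
        echo 'for-recipient.gpg: so is the keyring passphrase, if it were ever published'
    can_read "$RECIPIENT" "$RCPT_PW" "$DEMO_DIR/for-recipient.gpg" &&
        echo 'for-recipient.gpg: readable with the recipient keyring plus its passphrase'
    cleanup_demo
}

# Run the walk-through when invoked as: sh pgp-handover.sh run
if [ "${1:-}" = run ]; then report; fi
```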

7-Zip compression

Then he realised it was zipped up - compressed using a format called 7z which he had never heard of, and couldn't understand.

The .7z file extension is used by 7-Zip. This is freely available over the internet, on various computing platforms, and does offer more options for better compression than the standard .zip compression utilities which are built in to modern versions of the Microsoft Windows or Apple OS X operating systems, at the cost of longer compression times and more use of memory.

The 7-Zip Ultra compression option seems to be what the cables.csv file was compressed with down to i.e. only 21 % of its original size.

However to achieve this amount of compression on such a big file could take quite a while, perhaps up to an hour on an average PC. Unzipping is much quicker, a couple of minutes at most.

Compression is also built in to the PGP / GnuPG encryption software, but that produces a compressed file of about 640 MB i.e. about twice that of the 7-Zip version, about 41% of the original size of the monolithic cables.csv file.

Like most .zip compression software these days, 7-Zip also offers encryption, using the same AES 256 bit algorithm used by default by GnuPG / PGP, but Assange et al did not bother to make use of that.

He got back in his car and drove through the deserted London streets in the small hours, to Assange's headquarters in Southwick Mews

Assange was staying at Vaughan Smith's Frontline Club for investigative / foreign / war correspondent journalists, owned by Vaughan Smith, in whose Norfolk country estate has bedrooms at numbers 7 and 9 Southwick Mews

Now, isolated up in the Highlands, with hares and buzzards for company, Leigh felt safe enough to work steadily through the dangerous contents of the memory stick.

So, in the end, Julian Assange in fact actually handed over an unencrypted copy of the file to David Leigh, on an easily lost or stolen USB memory stick. If Assange really cared about protecting innocent people from evil governments, then he would not have allowed this to happen.

It is astonishing how the WikiLeakS.org cult propaganda machine has deluded itself that somehow it was David Leigh and The Guardian which was responsible for this cryptographic and internet publication incompetence, rather than the alleged technological privacy and anonymity expert Julian Assange and his supposedly expert helpers.

TextWrangler keyword search

Obviously there was no way that he, or any other human, could read through a quarter of a million cables. Cut off from the Guardian's own network, he was unable to call up such a monolithic file on his laptop and search through it in the normal simple-minded journalistic way, as a word processor document or something similar: it was just too big. Harold Frayman, the Guardian's technical expert, was there to rescue him. Before Leigh left town, he sawed the material into 87 chunks, each just about small enough to call up and read separately.

Probably 19 Megabytes for each of 86 chunks with a little bit left over in the 87th chunk.

Then he explained how Leigh could use a simple program called TextWrangler

TextWrangler is the "little brother" of BBEdit and is only available for the Apple Macintosh platform. David Leigh's laptop computer is stated to have been a MacBook elsewhere in the book.

to search for key words or phrases through all the separate files simultaneously, and present the results in a user-friendly form.

So why had Julian Assange or his WikiLeaks acolytes not already broken the 1.6 Gigabyte file down into usable chunks and zipped them up into, ideally, several archive files for their mainstream media partners ?

This WikiLeak.org blog has criticised them in the past for not offering (multiple) floppy disk or even CD-ROM sized versions of their whistleblower leaks documents, as well as just large monolithic files.

Not everybody, especially people in third world countries under repressive governments, or even people using mobile internet devices, has access to fast broadband internet connections.

Is this the end of WikiLeakS.org ?

Now that WikiLeakS.org have no more secrets left to publish, will they actually get around to re-inventing themselves and re-launching a secure anonymous system without the destructive influence of Julian Assange ?

Or will the cult continue regardless and just get dragged into long legal cases ?

More evidence that Wikileaks' abuse of Twitter, instead of issuing proper, detailed Press Releases on their official website, gives the impression of either incompetent "investigative journalism" or just plain anti-US Government hate propaganda.

When did this happen ? Is that the then US President or the Romanian President doing the promising ? What sort of "killing" ?

It turns out to be the newly elected Romanian President, back in 2005 (over 6 years ago). The "killing" turns out to have been the result of a traffic accident, probably involving drink driving by the US Marine who had diplomatic immunity as part of the US Embassy staff.

If you take this selective misquote from the diplomatic cable at face value you get the impression that the US Marine was to get off scot free due to some sort of political deal.

However if you actually bother to read the diplomatic cable which Wikileaks have published, in their current, "we don't care about anybody's personal information" data dump:

25.(C) Finally, the December 2004 accident involving the U.S. Embassy Marine Security Guard detachment commander that led to the death of Romanian rock star Teo Peter received wide press coverage and created public outcry. Basescu and his government are under considerable political pressure to make sure justice is done in a Romanian Court. Naturally, given that Marine Corps legal proceedings against the former detachment commander have not even begun, the question of extradition and lifting of the Marine's immunity cannot even be addressed at the present time. Nevertheless, PM Tariceanu and FM Ungureanu may ask for the Marine's return, possibly repeating a promise made earlier to our Ambassador by Basescu that the former detachment commander would receive a fair trial and, regardless of outcome, would not serve a single day in prison in Romania.

The deliberate omission of the words "in Romania" completely changes the meaning of the Tweet.

The democratically elected government of Romania is promising a fair trial and repatriation to the USA to serve any prison sentence, if the US Marine was to be found guilty of any charges. This is the normal, civilised state of affairs with most Extradition treaties around the world.

If this deliberately misleading Tweet was from the army of Wikileaks cult hangers on, that would be bad enough. Wikileaks could, if pushed, issue an apology, and disassociate themselves from such alleged "supporters".

However, this distortion of the truth is from the "official" Julian Assange controlled https://twitter.com/wikileaks feed.

Any post-Wikileaks whistleblower websites should learn the lessons from Wikileaks and Julian Assange's increasingly inept handling of the mainstream media and social media.

The levels of disinformation, hype and spin which Wikileaks now relies on make them at least as untrustworthy as any Government or big business public relations spin doctors and propagandists.

The mainstream media have plenty of other, more current, more newsworthy stories to report on, so the effect of the publication of these diplomatic cables is now increasingly marginal and they are only of academic interest to future historians and to the world's intelligence agencies.

Why is there still no functioning WikiLeakS.org document submission system ?

It is puzzling why WikiLeakS.org, with all its army of cult followers and vastly more money than many other whistleblowing websites, has not re-launched itself with a secure, anonymous whistleblower leak submission system, so many months after it shut down.

See LeakDirectory.org for links to many of these and some analysis of the anonymity and security strengths and weaknesses of several of them.

The answer must be that Julian Assange does not want to relinquish any control or to be democratically accountable or transparent.

N.B. to be clear, this WikiLeak.org blog is very often critical of Julian Assange for his control freakery, deceit, and disregard for other people's private personal data, but we do not think that he should be extradited to the USA to face espionage or other charges.

The European Arrest Warrant should not be allowed to be used to extradite Assange to Sweden from the United Kingdom for "investigation" purposes, without cross examination in a UK Court of prima facie evidence against him in the sordid sex allegations case.

This is only the second expulsion of a member in the 30 year history of the Chaos Computer Club - the previous one was, apparently some neo-nazi who had been abusing their infrastructure.

There is no mention of this bickering on either the official https://ccc.de or https://openleaks.org web pages, the participants have, instead decided to give interviews to the media, without bothering to inform their supporters directly (a couple of thousand of whom were gathered at the campsite).


From 12th to 14th of August 2011 this public platform is offered by German daily taz die tageszeitung, German weekly der Freitag, Portuguese weekly Expresso, Danish daily Dagbladet Information as well as the consumer protection organization Foodwatch; in cooperation with OpenLeaks. During this time you can upload documents, which will be worked on by the involved parties.

The goal of this setup is to invite you to do a security evaluation of the system during the Chaos Communication Camp 2011.

Obviously, most of the people at the CC campsite were busy with the many other projects and causes, but some of the people with expertise and experience of whistleblowing website anonymity and security infrastructure, and relations with the mainstream media, were present and may have contributed to the discussions and the preview "testing".

As anybody who has attended this sort of hacker convention should know, the mere act of putting up a web server on the campsite network will mean that it will be "stress tested" in a very hostile network environment, with lots of port scans and probes and attempts to hack into it and run denial of service attacks, but these would also happen if it was hosted at a major data centre.

But that should not be the only proper testing that the system gets before going live, a point on which here we agree with the CCC and which Daniel Domscheit-Berg also probably agrees with.

Endorsement by the mainstream media brand names mentioned above provides far more public trust and credibility, whatever that is actually worth regarding a currently non-operational system, than any (non-existent) "CCC" branding or approval.

The CCC have never been known for having any kind of "approved by the CCC" branding or "approval" of computer or telecommunications projects and they are deluding themselves if they think they would ever be trusted internationally if they did so.

The CCC leaders' action (it is a properly registered legal entity with a board of directors, a constitution etc.) now gives the impression of siding with Julian Assange (who was never a member) against Daniel Domscheit-Berg.

As mentioned in his book, Daniel Domscheit-Berg and the other former WikiLeakS.org technical staff defector "the Architect", took away their own intellectual property and thereby disabled the "improved" WikiLeakS.org submission system.

Julian Assange and his cult of supporters have never bothered to replicate even the shaky anonymity and security infrastructure which they were left with or re-launch a different, better, whistleblower leak submission and publication system, despite having plenty of volunteers and money to do so.

The president of the CCC Andy Müller-Maguhn, who some of us once elected to the board of the ICANN which regulates internet domain name registration and appeals procedures, seems to have been trying to mediate between Julian Assange and Daniel Domscheit-Berg for nearly a year over the return of this encrypted data to Julian Assange.

Since there is no evidence that the current WikiLeakS.org team is capable of handling the data securely (their current website does not even bother to use an SSL / TLS Digital certificate any more) they cannot be trusted any more than Daniel Domscheit-Berg can be.

The current OpenLeaks.org project may not yet have published its software as an Open Source project, which is what the purists at the CCC would like, but then neither has WikiLeakS.org nor any other whistleblower website.

Even if they did so, there is no guarantee that the specific computer and networking configuration settings and infrastructure used by a particular website are not actually counteracting any anonymity or security functions built in to the Open Source software.

All that the CCC board needed to do was to issue a press release making it clear that there was no official CCC endorsement of the OpenLeaks.org project.

The breakdown in the mediation which the CCC may have attempted between Julian Assange and Daniel Domscheit-Berg is not proper grounds for expelling the latter from the Club.

Some of the wrongdoers who have something to hide from public scrutiny and might therefore fear the OpenLeaks.org project, will be smiling to themselves at this display of disunity amongst the German section of the tiny minority of people around the world with the technical skills and attitude to make a difference.

Expelling Daniel Domscheit-Berg, without also criticising the current WikiLeakS.org cult, has damaged the reputation of the Chaos Computer Club internationally.

What about the Wau Holland Foundation and OpenLeaks.org ?

The registered charity the Wau Holland Foundation, which is controlled by CCC sympathisers, may not now be available to the OpenLeaks.org project as a channel for receiving financial donations from supporters, a service it currently performs for WikiLeakS.org.

If OpenLeaks.org gets some money from its media partners, this may not matter too much, but until there is a virtuous circle of whistleblower trust and actual mainstream media publication of leaks via OpenLeaks.org, they will always be short of money.

OpenLeaks.org may still be able to make use of PayPal etc., to receive financial donations from individuals, something which WikiLeakS.org no longer can do, as they have managed to annoy and get banned over the years, due to their lack of financial transparency and their perceived anti-American political bias.

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblowers are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistleblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants than WikiLeakS.org, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B. the words "security" or "anonymity" and "Twitter" are mutually exclusive:
